Intermediate certificate (How to install Thawte intermediate certificate)
  •  
jwozniak

Hi,

I just renewed my SSL certificate. It seems that Thawte started signing the certificates with an intermediate cert. So when I installed my renewed certificate the users started calling and complaining that their browsers reject it. I found information on the Thawte support pages that I need to install an intermediate certificate on the web server and this will allow my certificate to be verified (there are instructions for Apache: search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO14822 and IIS: search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO15171&actp=search&viewlocale=en_US&searchid=1282614432001 - I cannot use the http prefix on the forum yet).

I cannot find a way to install an intermediate crt file in Kerio. Could you please help me?

Greetings,
Jack

[Updated on: Tue, 09 November 2010 12:34]

  •  
freakinvibe

Look in the Kerio manual, there is a chapter about Intermediate Certificates:

http://manuals.kerio.com/kms/en/sect-kmscert.html
(end of page):

Quote:
Intermediate certificates

Kerio MailServer allows authentication by so called "intermediate" certificate. To make authentication by these certificates work, it is necessary to add the certificates to Kerio MailServer by using any of the following methods:

Locally

Add the "intermediate" certificate file to the /sslca directory and copy the server's certificate with the private key to the /sslcert directory. Both directories can be found in the directory where Kerio MailServer is installed.

Remotely via the Kerio Administration Console

Remote import can be performed as follows:

1. Open the server's certificate and the "intermediate" certificate in any text editor.

2. In the "intermediate" certificate, select the certificate's string and copy it to the server certificate file next to the string of the server certificate.

3. Save the certificate.

4. Open the Kerio Administration Console and go to the section referring to SSL certificates.

5. Import the server's certificate by using the Import → Import new certificate option.

Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch
  •  
jwozniak

I've created a new text file and pasted both certificates. It worked! Thank you very much for your quick help.
  •  
chrisrosa

I'm in the same boat. I've combined my key and the intermediate key as described in section 16.1 of the manual; however, when I click the import button, it says I need both the key and the crt files. What's the appropriate key file to go along with the combined crt file?

Thanks
  •  
jwozniak

Hmm, I simply concatenated two certificate files using the console:
cat my_certificate thawte_intermediate_certificate > kerio_certificate

Make sure that:
- you obtained the correct intermediate certificate from Thawte
- you combine the certificate in the same order - first yours, then Thawte's.

Greetings
  •  
chrisrosa

Mine is actually from Comodo, but same idea. Comodo sends a zip file containing three certs...the root, intermediate and server files. I have my cert and the intermediate in a single file in that order.

So you just left the ".key" field blank in the import new certificate dialog? I guess I can try the manual instructions and place the file in the sslca dir, but it seems odd that the method with the web console isn't working.

Thanks for the quick reply...
  •  
freakinvibe

Comodo?

http://www.f-secure.com/weblog/archives/00002128.html

Do you really want to trust them? Big breach back in March 2011.

Dexion AG - The Blackberry Specialists in Switzerland
http://www.dexionag.ch
  •  
jwozniak

I didn't use the admin console. I just stopped the kms service, replaced the certificate file and started the service.
  •  
chrisrosa

Quote:
Comodo?

http://www.f-secure.com/weblog/archives/00002128.html

Do you really want to trust them? Big breach back in March 2011.


Thanks for the link. Yes I'm aware of the breach. Some certificates were forged and have since been revoked, which doesn't impact the security provided by my certificate. That being said, I'll probably go elsewhere when this one expires.

[Updated on: Wed, 21 September 2011 19:04]

  •  
chrisrosa

jwozniak wrote on Wed, 21 September 2011 08:44
I didn't use the admin console. I just stopped the kms service, replaced the certificate file and started the service.


Thanks... I'll try the alternate "local" method.
  •  
Pavel Dobry (Kerio)

chrisrosa wrote on Wed, 21 September 2011 16:36
Mine is actually from Comodo, but same idea. Comodo sends a zip file containing three certs...the root, intermediate and server files. I have my cert and the intermediate in a single file in that order.

So you just left the ".key" field blank in the import new certificate dialog? I guess I can try the manual instructions and place the file in the sslca dir, but it seems odd that the method with the web console isn't working.

Thanks for the quick reply...


The "private key" .key file is required when creating a new SSL certificate (or a CSR request for signing by a CA). If you haven't provided a CSR to your CA, then they probably created the key and CSR on your behalf and the private key is included in the .zip file.
You always need:
- private key (.key)
- server SSL certificate (.crt)
- (optionally) intermediate CA certificate.

Knowledge Base: http://kb.kerio.com/.
Technical support: http://www.kerio.com/support
  •  
Spacey

I'm kinda stuck here. So far I have renewed my Thawte 123 cert 2 times without any problems. Unfortunately it doesn't work right now. I can't simply renew and re-upload the new Thawte signed cert - Firefox gives me "sec_error_unknown_issuer" errors. So I googled and tried to implement the Thawte intermediate certificate (put the int. cert. behind the signed Thawte domain cert and then upload into Kerio). The last try did somehow work (I got an error after uploading, "private ssl-key can't be loaded - key values mismatch" (I got the error in German), and then switching to this cert did work), but Kerio won't start at all after this. So I needed to grab my mailserver.cfg from a backup and my Kerio worked again - phew. Any ideas what to do?

I used this primary intermediate cert from Thawte: https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AR1371

Thanks!

Solution: The problem was the wrong intermediate certificate - this one has to be used ->

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AR2157

I created a text file with my signed domain cert first and then posted these 2 intermediates below and imported that into my Kerio server as an answer to the request.

[Updated on: Wed, 21 January 2015 10:47]

  •  
gommog

None of the above worked for me; I keep getting the message "Cannot load SSL certificate file. Error: error:0906D066:PEM routines:PEM_read_bio:bad end line." I got my server and intermediate certificates supplied by Thawte in an email. I first tried importing just my server certificate and this worked fine. Then, using Notepad, I added the intermediate certificate to the server cert and tried to import using the same server key; that's when I get the error. I've tried just putting the intermediate certificate in the sslca folder but this appears to do nothing.

The cert end line is
-----END CERTIFICATE-----

Exactly this with five hyphens before and after the text, each line in the certificate is 64 characters.
  •  
Spacey

The Windows Notepad is not a very good editor for such things. Please use "notepad++" - https://notepad-plus-plus.org

"bad end line" sounds like some crazy encoding problem to me!
  •  
gommog

I've already tried notepad++ and still get the same issue
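
Added example, not part of any post above and not Kerio's or Thawte's code: a small Python check for the combined certificate file discussed in this thread (server certificate first, then the intermediates). It inspects only the PEM framing, where a lost newline between two certificates, a byte order mark or stray whitespace is a common source of OpenSSL PEM parsing errors such as "bad end line"; it does not verify the key match or the issuer chain. The function names and the sample certificates are constructed for illustration.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def lint_pem_bundle(data):
    """Report structural defects in a PEM certificate bundle (no X.509 parsing)."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark at start of file")
        data = data[3:]
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return problems + ["non-ASCII bytes in file (UTF-16 or pasted rich text?)"]
    in_cert, body = False, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line != raw:
            problems.append(f"line {n}: leading or trailing whitespace")
        if line == BEGIN and not in_cert:
            in_cert, body = True, []
        elif line == END and in_cert:
            in_cert = False
            try:
                base64.b64decode("".join(body), validate=True)
            except ValueError:
                problems.append(f"line {n}: certificate body is not valid base64")
        elif line.startswith("-----"):
            # Typical case: END and BEGIN fused on one line after a lost newline.
            problems.append(f"line {n}: malformed or misplaced boundary {line!r}")
        elif in_cert:
            body.append(line)
        elif line:
            problems.append(f"line {n}: text outside a certificate block")
    if in_cert:
        problems.append("last certificate has no END line")
    return problems

def build_bundle(server_pem, *intermediates):
    """Server certificate first, then intermediates; rows trimmed, LF line ends."""
    rows = [r.strip() for pem in (server_pem, *intermediates)
            for r in pem.decode("utf-8-sig").splitlines() if r.strip()]
    return ("\n".join(rows) + "\n").encode("ascii")

def constructed_cert(seed):
    # Constructed placeholder bytes in PEM framing, not a real X.509 certificate.
    b64 = base64.b64encode(bytes((seed + i) % 256 for i in range(96))).decode()
    return "\n".join([BEGIN, b64[:64], b64[64:], END, ""]).encode()
```

Run `lint_pem_bundle` on the file before importing it; an empty list means the framing is clean, and any remaining import error then points at the key or the choice of intermediate rather than the file format.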